Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 11 Example Rootkit. Intel internship Intel CTG (Corporate Technology Group) –Advanced research & development –System integrity services using.

Published byDale Lester Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 11 Example Rootkit. Intel internship Intel CTG (Corporate Technology Group) –Advanced research & development –System integrity services using."— Presentation transcript:

1 Lecture 11 Example Rootkit

2 Intel internship Intel CTG (Corporate Technology Group) –Advanced research & development –System integrity services using AMT Detecting rootkits C programming experience Low-level OS knowledge Embedded programming Who can I send?

3 Rustock.B rootkit Frank Boldewin, “A Journey to the Center of the Rustock.B Rootkit”, Jan. 20, 2007 –http://reconstructer.orghttp://reconstructer.org Combines a number of obfuscation techniques found in other malware

4 Stage 1: Ollydbg Drop from Mother Ship –Gives you rustock.exe, a Windows PE Step 1 –In Ollydbg, search for all referenced text strings Not much shown due to obfuscation/packing –Use PEID or Protection-ID tools to determine packer/compiler/protector Not much shown, perhaps a proprietary packer used –Check for unrecognized data in code Code loaded at virtual address of 0x400000 Entry point of Rustock.B at 0x401000

5 Stage 1: Ollydbg Looks like obfuscated code at 0x401B82 –Find references to this address

6 Stage 1: Ollydbg At 0x040198D –PUSH of 0x401B82 followed by RETN –Same as a CALL –Set breakpoint and run –Obfuscated code should be unobfuscated now

7 Stage 1: Ollydbg Not quite, have Ollydbg analyze code –Step through API importing code to obtain API names for subsequent call instructions

8 Stage 1: Ollydbg Find call to kernel32._lcreat –Creates a file called lzx32.sys (kernel mode driver) –Set breakpoint and run again –Select EDI in Registers window and follow it

9 Stage 1: Ollydbg EDI points to C:\windows\system32:lzx32.sys –Use of : instead of \ –Alternative Data Stream (ADS) Hides the driver from easy detection Windows Explorer and cmd.exe do not show ADS Change memory to replace “:” (0x3a) to a “\” (0x5c) Attach ADS to directory since ADS viewers do not show this –Rerun code and step through driver creation –Stop code at lclose at address 0x401cc7 Driver has been deobfuscated and unpacked now

10 Stage 2: PE-Tools Driver now detached –Analyze it in IDA to find obfuscated code –Detached driver code and.idb file in “stage1” directory –Attempt to load in Ollydbg Launch using LOADDLL.EXE fails

11 Stage 2: PE-Tools Change driver –Currently a DLL, a native executable, and contains imports from kernel libraries (NTOSKRNL.EXE and HAL.DLL) –Change to no DLL, a Windows GUI application, and no imports –Fix PE-files using PE-Tools Unmark DLL bit in PE-Tools

12 Stage 2: PE-Tools Change driver –In Optional Header of PE-Tools, change Subsystem value from 1 to 2 (Windows GUI)

13 Stage 2: PE-Tools Change driver –Set RVA and size to 0 –Will be reset later

14 Stage 2: Ollydbg Driver loads now –Same as Stage 1: obfuscated code at 0x116a4

15 Stage 2: Ollydbg Find references to this address 0x116a4

16 Stage 2: Ollydbg Two places with PUSH 0x116a4/ RETN –Set breakpoint and run

17 Stage 2: Ollydbg Analyze code now…

18 Stage 2: Ollydbg

19 Dump debugged process

20 Stage 2: Ollydbg Dump debugged process –Unmark “Rebuild Import”

21 Stage 2 After dump, restore PE-File settings –DLL bit –Subsystem native –RVA and Size of Import directory field

22 Stage 3: IDA Load dumped file into IDA

23 Stage 3: IDA Obfuscated data –Can not use the previous approach

24 Stage 3 Read code at 0x116a4 –Import APIs from NTOSKRNL –Query system modules running –Allocate kernel memory –Unpack routine (0x11788) Unpacks code to kernel memory –Move unpacked code over packed code area –Grab imports from NTOSKRNL and HAL.DLL, destroy PE-Header, rebase API calls –Free unused kernel memory –JMP EAX at address 0x117c8 Real driver created dynamically –Must rip the unpacking code at 0x117d3 and dump whole data as file before PE-Header destroyed and driver code rebased

25 Stage 3 Program included

26 Stage 3: Reversing Rustock.B http://www.sarc.com/avcenter/venc/data/back door.rustock.b.html#technicaldetails

27 Doing it faster with a kernel debugger SoftICE+ICEEXT –Special function in NTOSKRNL.EXE to load driver IopLoadDriver Is not exported by default –Need proper.pdb file of NTOSKRNL.EXE from Microsoft server –Need to convert it to SoftICE format.nms –Problem: SoftICE symbol retriever unreliable –Read Frank Boldewin’s SoftICE howto http://reconstructer.org Alternative –Leech Windows Debugging Tools from MSFT –Read paper for recipe

28 Cleanup Run RkUnhooker

Download ppt "Lecture 11 Example Rootkit. Intel internship Intel CTG (Corporate Technology Group) –Advanced research & development –System integrity services using."

Similar presentations

Pokas x86 Emulator for Generic Unpacking By Amr Thabet

Pokas x86 Emulator for Generic Unpacking By Amr Thabet
Sample chapter from https://training.zdresearch.com Reverse Engineering Course.

Sample chapter from Reverse Engineering Course.
Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.

Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.
Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.

Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
® IBM Software Group © 2010 IBM Corporation What’s New in Profiling & Code Coverage RAD V8 April 21, 2011 Kathy Chan

® IBM Software Group © 2010 IBM Corporation What’s New in Profiling & Code Coverage RAD V8 April 21, 2011 Kathy Chan
GROUP 2 WINDOWS INTERNALS TOOLS & WINDOWS SDK DEBUGGING TOOLS David Denhollander Kevin Finkler Corey Sarnia Ailun Shen.

GROUP 2 WINDOWS INTERNALS TOOLS & WINDOWS SDK DEBUGGING TOOLS David Denhollander Kevin Finkler Corey Sarnia Ailun Shen.
Module 4.2 File management 1. Contents Introduction The file manager Files – the basic unit of storage The need to organise Glossary 2.

Module 4.2 File management 1. Contents Introduction The file manager Files – the basic unit of storage The need to organise Glossary 2.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Memory Management (II)

Memory Management (II)
INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.

INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.
Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.

Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.
OllyDbg Debuger.

OllyDbg Debuger.
SRE  Introduction 1 Software Reverse Engineering (SRE)

SRE  Introduction 1 Software Reverse Engineering (SRE)
F13 Forensic tool analysis Dr. John P. Abraham Professor UTPA.

F13 Forensic tool analysis Dr. John P. Abraham Professor UTPA.
Jackson Behling Robert Barclay GROUP ‘I’

Jackson Behling Robert Barclay GROUP ‘I’
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
OBJECT MODULE FORMATS. The object module format we have employed as an educational device is called OMF (relocatable object format). It’s one of the earliest.

OBJECT MODULE FORMATS. The object module format we have employed as an educational device is called OMF (relocatable object format). It’s one of the earliest.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

Similar presentations

Ads by Google